Date: Tue, 26 Mar 2024 08:36:45 -1000
From: "David A. Harding"
To: Peter Todd
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] A Free-Relay Attack Exploiting RBF Rule #6
Message-ID: <012f89763cc336cd91eec13dccefc921@dtrt.org>

On 2024-03-18 03:21, Peter Todd wrote:
> [...] the existence of this attack is an argument in favor of
> replace-by-fee-rate. While RBFR introduces a degree of free-relay, the fact
> that Bitcoin Core's existing rules *also* allow for free-relay in this form
> makes the difference inconsequential.
>
> # Disclosure
>
> This issue was disclosed to bitcoin-security first. I received no objections to
> making it public. All free-relay attacks are mitigated by the requirement to at
> least have sufficient funds available to allocate to fees, even if the funds
> might not actually be spent.

Could you tell us more about the disclosure process you followed? I'm
surprised to see it disclosed without any apparent attempt at patching.
I'm especially concerned given your past history of publicly revealing
vulnerabilities before they could be quietly patched[1] and the conflict
of interest of you using this disclosure to advocate for a policy change
you are championing.

-Dave

[1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-June/016100.html